HANDLE WITH CARE. IF YOU DISPOSE OF A BOARDING PASS – SHRED IT! THE INFO THAT CAN BE LEARNED AND MANIPULATED FROM A BOARDING PASS BARCODE IS TERRIFYING!
I read a Krebs on Security article today entitled What’s in a Boarding Pass Barcode? A Lot, and I was truly horrified. If the wrong person gets his or her hands on a boarding pass, volumes of information can be learned about the passenger – information potentially sufficient to hack the passenger’s frequent flyer accounts.
The Krebs Article states, in pertinent part:
The next time you’re thinking of throwing away a used boarding pass with a barcode on it, consider tossing the boarding pass into a document shredder instead. Two-dimensional barcodes and QR codes can hold a great deal of information, and the codes printed on airline boarding passes may allow someone to discover more about you, your future travel plans, and your frequent flyer account.
Here’s where it gets really scary. In addition to the information blatantly printed on a boarding pass, such as name, frequent flyer number, flight number, etc., all you need is a simple barcode decoder, and you can get the passenger’s flight record locator for the flight. In this case, the boarding pass was for a Lufthansa flight. But the free information didn’t stop there. With the record locator, the investigator was able to gain access to the passenger’s entire account, including any future flights booked to his frequent flyer number on any Star Alliance airline. With this information, the investigator could get other personal account information for the passenger, such as his phone number.
Does it stop there? NO. It only gets scarier. With this information, the investigator could make seating or meal changes for the passenger, could change the passenger’s PIN number and could even change or cancel future flights.
Photo: http://krebsonsecurity.com/2015/10/whats-in-a-boarding-pass-barcode-a-lot/
Is this scaring you? It’s certainly scaring me. I once had my United Airlines account hacked (See, Fraud: My United Account was Hacked). Not only did the hacker fly on my frequent flyer points (which United thereafter reinstated to me), but he also made hotel plans and tried to convert the miles into Amazon gift cards.
Do you want to see what’s on your Boarding Pass? Take a photo of it and upload it to this barcode scanner website.
A New York frequent flyer who elegantly combines her passions for worldwide travel, running a gazillion marathons all over the globe and staying fit ... without sacrificing her fancy for good wine and food.
I’ve always saved and shredded mine, just to be on the safe side. Now I’m glad.
People also need to be careful about emailing itineraries. Someone’s travel agent accidentally emailed me their itinerary which gave A LOT of info and would have allowed someone to potentially change/cancel their trip.
and then there’s the emailing of itineraries and boarding passes to get credit for flights….?
Very good to know. I will now treat my boarding passes with more care while traveling and afterwards. Amazing to think how many are probably left in hotel rooms and rental cars, or tossed in a trash can! Thanks for the warning; duly noted.
How do we know that uploading our bar codes to some random website is secure?
Exactly. I would be way more concerned about uploading my barcode to that site than having someone pick up my discarded boarding pass and doing something with it!
I see a lot of opinions here, and I thank everyone for that. I’m just learning.
You can download an app to your smart phone or tablet that will read the barcode so that the data stays local to your device. I like the one from Mantee works.
I scolded someone for sharing a photo of their smartphone boarding pass via twitter. I decoded it with my phone on the screen and told him that I knew he was an AAdvantage Gold member and quoted his number. So don’t do that! Of course, I you still need a password to access the account.
BTW, this is why I refuse to allow Target or any store to scan my drivers license when purchasing age restricted items like cold medicines, wine, beer, etc. They use a barcode scanner to read the 2D drivers license, or they swipe the magnetic stripe. The idea is to capture only the date of birth and ignore the other items and show evidence to regulators that an ID was checked.
Of course, the act of scanning the barcode will read all data and we all know what can potentially happen with “loose data” at stores. The workaround at Target is to have a supervisor manually key in the birthdate. The cashier cannot key in the date themselves. Or you can use a passport card which when scanned only has the ID number and no other data. Again, a supervisor will have to manually key in the date, but without a drivers license, nothing can be scanned.
interesting. I also have a bar code reader app on my iphone, but haven’t used it yet.
That should say Manatee Works. You need a barcode scanner that handles PDF417, Datamatrix, and/or Aztec formats to decode boarding passes. Most mobile apps seem to only handle QR and UPC type bar codes.
I have only been using boarding passes on my phone for a while now, no more paper ones for me.
I can bring them up right from my airlines app. No need to email them.
I had always been careful about boarding passes, but what about the tags the airline puts on checked bags? I have been shredding them because my name comes up on them, but I wonder if that is ‘going off the deep end’.